Create constraints for "cryptographic-module" components

[Rene2mt]

Constraint Task

Consistent with issue #606, this tasks focuses on creating constraints for cryptographic modules.

Intended Outcome

Ensure that:

• cryptographic modules are defined in their own component of type "software" and
  • must have a prop[@name="asset-type" and @value="cryptographic-module"]
  • must be linked (via link) to the components that use them.
• cryptographic modules must have:
  • "software-name" prop
  • "software-version" prop
  • "vendor-name" prop
  • "function" FedRAMP extension prop with property remarks
  • Allowed values for "function" FedRAMP extension prop are: "data-at-rest", "data-in-transit", and "other".
    • If the "function" value is set to "other", then the property's remarks must be used to provide more details.
• cryptographic module components must have at least one "provided-by" link
• cryptographic module components must have at least one "used-by" link
• cryptographic module components must have at least one "validation" link that represents either a FIPS 140-2 or FIPS 140-3 validation component
• a FIPS 140-2 or FIPS 140-3 "validation" component must:
  • be a component with type="validation"
  • have a "asset-type" prop with value set to "cryptographic-module"
  • have a "validation-type" prop with value set to either "fips-140-2" or "fips-140-3" -> //component[ @type='validation' and ./prop[@name='asset-type' and @value='cryptographic-module'] and ./prop[@name='validation-type' and @value=('fips-140-2', 'fips-140-3')] ]

Syntax Type

This is required core OSCAL syntax.

Allowed Values

There are no relevant allowed values.

Metapath(s) to Content

context="//component[@type='software' and ./prop[@name='asset-type' and @value='cryptographic-module']]"

Purpose of the OSCAL Content

No response

Dependencies

No response

Acceptance Criteria

• All OSCAL adoption content affected by the change in this issue have been updated in accordance with the Documentation Standards.
  • Explanation is present and accurate
  • sample content is present and accurate
  • Metapath is present, accurate, and does not throw a syntax exception using oscal-cli metaschema metapath eval -e "expression".
• All constraints associated with the review task have been created
• The appropriate example OSCAL file is updated with content that demonstrates the FedRAMP-compliant OSCAL presentation.
• The constraint conforms to the FedRAMP Constraint Style Guide.
  • All automated and manual review items that identify non-conformance are addressed; or technical leads (David Waltermire; AJ Stein) have approved the PR and “override” the style guide requirement.
• Known good test content is created for unit testing.
• Known bad test content is created for unit testing.
• Unit testing is configured to run both known good and known bad test content examples.
• Passing and failing unit tests, and corresponding test vectors in the form of known valid and invalid OSCAL test files, are created or updated for each constraint.
• A Pull Request (PR) is submitted that fully addresses the goals section of the User Story in the issue.
• This issue is referenced in the PR.

Other information

No response